Merge pull request #36 from olszomal/cabverify

CAB files support - Extracting, attaching, removing and verifying the signature - Signing with the nested signature - Enable tests for CAB files
2025-04-05 09:08:04 -05:00 · 2020-03-27 06:24:48 +01:00 · 2020-03-27 06:24:48 +01:00 · 2830ab5795
commit 2830ab5795
parent 20236fb677 ee17261eaf
22 changed files with 1094 additions and 338 deletions
--- a/osslsigncode.c
+++ b/osslsigncode.c
@ -166,8 +166,28 @@ typedef unsigned char u_char;
 #define WIN_CERT_REVISION_2             0x0200
 #define WIN_CERT_TYPE_PKCS_SIGNED_DATA  0x0002
 /*
 * FLAG_PREV_CABINET is set if the cabinet file is not the first in a set
 * of cabinet files. When this bit is set, the szCabinetPrev and szDiskPrev
 * fields are present in this CFHEADER.
 */
 #define FLAG_PREV_CABINET 0x0001
 /*
 * FLAG_NEXT_CABINET is set if the cabinet file is not the last in a set of
 * cabinet files. When this bit is set, the szCabinetNext and szDiskNext
 * fields are present in this CFHEADER.
 */
 #define FLAG_NEXT_CABINET 0x0002
 /*
 * FLAG_RESERVE_PRESENT is set if the cabinet file contains any reserved
 * fields. When this bit is set, the cbCFHeader, cbCFFolder, and cbCFData
 * fields are present in this CFHEADER.
 */
 #define FLAG_RESERVE_PRESENT 0x0004
 #define INVALID_TIME ((time_t)-1)
 /*
  ASN.1 definitions (more or less from official MS Authenticode docs)
 */
@ -1155,6 +1175,8 @@ static void help_for(const char *argv0, const char *cmd) {
 #define DO_EXIT_1(x, y) { fprintf(stderr, x, y); goto err_cleanup; }
 #define DO_EXIT_2(x, y, z) { fprintf(stderr, x, y, z); goto err_cleanup; }
 #define GET_UINT8_LE(p) ((u_char*)(p))[0]
 #define GET_UINT16_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8))
 #define GET_UINT32_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8) |	\
@ -2056,6 +2078,9 @@ static int verify_pkcs7(PKCS7 *p7, char *leafhash, char *cafile, char *crlfile,
 }
 #ifdef WITH_GSF
 /*
 * MSI file support
 */
 static gint msi_base64_decode(gint x)
 {
 	if (x < 10)
@ -2430,24 +2455,19 @@ static int msi_verify_pkcs7(PKCS7 *p7, GsfInfile *infile,
 #endif
 	printf("\n");
 	ret |= verify_pkcs7(p7, leafhash, cafile, crlfile, untrusted);
-
+	printf("\n");
 	if (allownest) {
 		int has_sig = 0;
 		PKCS7 *p7nest = pkcs7_get_nested_signature(p7, &has_sig);
 		if (p7nest) {
 			printf("\n");
 			int nest_ret = msi_verify_pkcs7(p7nest, infile, exdata, exlen, leafhash, 0, cafile, crlfile, untrusted);
 			if (ret)
 				ret = nest_ret;
 			PKCS7_free(p7nest);
 		} else if (!p7nest && has_sig) {
-			printf("\nFailed to decode nested signature!\n");
+			printf("Failed to decode nested signature!\n");
 			ret = 1;
 		} else {
 			printf("\n");
 		}
 	} else {
 		printf("\n");
 	}
 out:
 	return ret;
@ -2665,6 +2685,9 @@ out:
 #endif
 /*
 * PE file support
 */
 static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
 	size_t peheader, int pe32plus, size_t fileend)
 {
@ -2818,24 +2841,19 @@ static int verify_pe_pkcs7(PKCS7 *p7, char *indata, size_t peheader,
 	}
 	ret |= verify_pkcs7(p7, leafhash, cafile, crlfile, untrusted);
-
+	printf("\n");
 	if (allownest) {
 		int has_sig = 0;
 		PKCS7 *p7nest = pkcs7_get_nested_signature(p7, &has_sig);
 		if (p7nest) {
 			printf("\n");
 			int nest_ret = verify_pe_pkcs7(p7nest, indata, peheader, pe32plus, sigpos, siglen, leafhash, 0, cafile, crlfile, untrusted);
 			if (ret)
 				ret = nest_ret;
 			PKCS7_free(p7nest);
 		} else if (!p7nest && has_sig) {
-			printf("\nFailed to decode nested signature!\n");
+			printf("Failed to decode nested signature!\n");
 			ret = 1;
 		} else {
 			printf("\n");
 		}
 	} else {
 		printf("\n");
 	}
 	return ret;
@ -2895,9 +2913,585 @@ static int verify_pe_file(char *indata, size_t peheader, int pe32plus,
 	ret = verify_pe_pkcs7(p7, indata, peheader, pe32plus, sigpos, siglen, leafhash, 1, cafile, crlfile, untrusted);
 	PKCS7_free(p7);
 	return ret;
 }
 static int extract_pe_file(char *indata, size_t sigpos, size_t siglen, BIO *outdata, int output_pkcs7)
 {
 	int ret = 0;
 	PKCS7 *sig;
 	(void)BIO_reset(outdata);
 	if (output_pkcs7) {
 		sig = extract_existing_pe_pkcs7(indata, sigpos, siglen);
 		if (!sig) {
 			fprintf(stderr, "Unable to extract existing signature\n");
 			return 1; /* FAILED */
 		}
 		ret = !PEM_write_bio_PKCS7(outdata, sig);
 		} else {
 			ret = !BIO_write(outdata, indata + sigpos, siglen);
 	}
 	return ret;
 }
 static void sign_pe_file(char *indata, size_t i , int pe32plus, size_t *fileend, BIO *hash, BIO *outdata)
 {
 	int len = 0;
 	static char buf[64*1024];
 	BIO_write(hash, indata, i);
 	memset(buf, 0, 4);
 	BIO_write(outdata, buf, 4); /* zero out checksum */
 	i += 4;
 	BIO_write(hash, indata + i, 60+pe32plus*16);
 	i += 60+pe32plus*16;
 	memset(buf, 0, 8);
 	BIO_write(outdata, buf, 8); /* zero out sigtable offset + pos */
 	i += 8;
 	BIO_write(hash, indata + i, *fileend - i);
 	/* pad (with 0's) pe file to 8 byte boundary */
 	len = 8 - *fileend % 8;
 	if (len > 0 && len != 8) {
 		memset(buf, 0, len);
 		BIO_write(hash, buf, len);
 		*fileend += len;
 	}
 }
 /*
 * CAB file support
 * https://www.file-recovery.com/cab-signature-format.htm
 */
 static int verify_cab_header(char *indata, char *infile, cmd_type_t cmd,
 			size_t filesize, size_t *header_size, size_t *sigpos, size_t *siglen)
 {
 	int ret = 1;
 	size_t reserved, flags = 0;
 	if (filesize < 44)	{
 		printf("Corrupt cab file - too short: %s\n", infile);
 		ret = 0; /* FAILED */
 	}
 	reserved = GET_UINT32_LE(indata + 4);
 	if (reserved) {
 		printf("Reserved1: 0x%08lX\n", reserved);
 		ret = 0; /* FAILED */
 	}
 	/* flags specify bit-mapped values that indicate the presence of optional data */
 	flags = GET_UINT16_LE(indata + 30);
 #if 1
 	if (flags & FLAG_PREV_CABINET) {
 			/* FLAG_NEXT_CABINET works */
 			printf("Multivolume cabinet file is unsupported: flags 0x%04lX\n", flags);
 			ret = 0; /* FAILED */
 	}
 #endif
 	if (!(flags & FLAG_RESERVE_PRESENT) &&
 			(cmd == CMD_REMOVE || cmd == CMD_EXTRACT)) {
 		printf("CAB file does not have any signature: %s\n", infile);
 		ret = 0; /* FAILED */
 	}
 	if (flags & FLAG_RESERVE_PRESENT) {
 		/*
 		* Additional headers is located at offset 36 (cbCFHeader, cbCFFolder, cbCFData);
 		* size of header (4 bytes, little-endian order) must be 20 (checkpoint).
 		*/
 		*header_size = GET_UINT32_LE(indata + 36);
 		if (*header_size != 20) {
 			printf("Additional header size: 0x%08lX\n", *header_size);
 			ret = 0; /* FAILED */
 		}
 		reserved = GET_UINT32_LE(indata + 40);
 		if (reserved != 0x00100000) {
 			printf("abReserved: 0x%08lX\n", reserved);
 			ret = 0; /* FAILED */
 		}
 		/*
 		* File size is defined at offset 8, however if additional header exists, this size is not valid.
 		* sigpos - additional data offset is located at offset 44 (from file beginning)
 		* and consist of 4 bytes (little-endian order)
 		* siglen - additional data size is located at offset 48 (from file beginning)
 		* and consist of 4 bytes (little-endian order)
 		* If there are additional headers, size of the CAB archive file is calcualted
 		* as additional data offset plus additional data size.
 		*/
 		*sigpos = GET_UINT32_LE(indata + 44);
 		*siglen = GET_UINT32_LE(indata + 48);
 		if (*sigpos < filesize && *sigpos + *siglen != filesize) {
 			printf("Additional data offset:\t%lu bytes\nAdditional data size:\t%lu bytes\n", *sigpos, *siglen);
 			printf("File size:\t\t%lu bytes\n", filesize);
 			ret = 0; /* FAILED */
 		}
 	}
 	return ret;
 }
 static int calc_cab_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, size_t offset)
 {
 	size_t coffFiles, nfolders, flags;
 	static unsigned char bfb[16*1024*1024];
 	EVP_MD_CTX *mdctx;
 	mdctx = EVP_MD_CTX_new();
 	EVP_DigestInit(mdctx, md);
 	memset(mdbuf, 0, EVP_MAX_MD_SIZE);
 	(void)BIO_seek(bio, 0);
 	/* u1 signature[4] 4643534D MSCF: 0-3 */
 	BIO_read(bio, bfb, 4);
 	EVP_DigestUpdate(mdctx, bfb, 4);
 	/* u4 reserved1 00000000: 4-7 */
 	BIO_read(bio, bfb, 4);
 	/*
 	 * u4 cbCabinet - size of this cabinet file in bytes: 8-11
 	 * u4 reserved2 00000000: 12-15
 	 */
 	BIO_read(bio, bfb, 8);
 	EVP_DigestUpdate(mdctx, bfb, 8);
 	 /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
 	BIO_read(bio, bfb, 4);
 	coffFiles = GET_UINT32_LE(bfb);
 	EVP_DigestUpdate(mdctx, bfb, 4);
 	/*
 	 * u4 reserved3 00000000: 20-23
 	 * u1 versionMinor 03: 24
 	 * u1 versionMajor 01: 25
 	 */
 	BIO_read(bio, bfb, 6);
 	EVP_DigestUpdate(mdctx, bfb, 6);
 	/* u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 */
 	BIO_read(bio, bfb, 2);
 	nfolders = GET_UINT16_LE(bfb);
 	EVP_DigestUpdate(mdctx, bfb, 2);
 	/* u2 cFiles - number of CFFILE entries in this cabinet: 28-29 */
 	BIO_read(bio, bfb, 2);
 	EVP_DigestUpdate(mdctx, bfb, 2);
 	/* u2 flags: 30-31 */
 	BIO_read(bio, bfb, 2);
 	flags = GET_UINT16_LE(bfb);
 	EVP_DigestUpdate(mdctx, bfb, 2);
 	/* u2 setID must be the same for all cabinets in a set: 32-33 */
 	BIO_read(bio, bfb, 2);
 	EVP_DigestUpdate(mdctx, bfb, 2);
 	/*
 	* u2 iCabinet - number of this cabinet file in a set: 34-35
 	* u2 cbCFHeader: 36-37
 	* u1 cbCFFolder: 38
 	* u1 cbCFData: 39
 	* u22 abReserve: 40-55
 	* - Additional data offset: 44-47
 	* - Additional data size: 48-51
 	*/
 	BIO_read(bio, bfb, 22);
 	/* u22 abReserve: 56-59 */
 	BIO_read(bio, bfb, 4);
 	EVP_DigestUpdate(mdctx, bfb, 4);
 	/* TODO */
 	if (flags & FLAG_PREV_CABINET) {
 		/* szCabinetPrev */
 		do {
 			BIO_read(bio, bfb, 1);
 			EVP_DigestUpdate(mdctx, bfb, 1);
 		} while (bfb[0]);
 		/* szDiskPrev */
 		do {
 			BIO_read(bio, bfb, 1);
 			EVP_DigestUpdate(mdctx, bfb, 1);
 		} while (bfb[0]);
 	}
 	if (flags & FLAG_NEXT_CABINET) {
 		/* szCabinetNext */
 		do {
 			BIO_read(bio, bfb, 1);
 			EVP_DigestUpdate(mdctx, bfb, 1);
 		} while (bfb[0]);
 		/* szDiskNext */
 		do {
 			BIO_read(bio, bfb, 1);
 			EVP_DigestUpdate(mdctx, bfb, 1);
 		} while (bfb[0]);
 	}
 	/*
 	 * (u8 * cFolders) CFFOLDER - structure contains information about
 	 * one of the folders or partial folders stored in this cabinet file
 	 */
 	while (nfolders) {
 		BIO_read(bio, bfb, 8);
 		EVP_DigestUpdate(mdctx, bfb, 8);
 		nfolders--;
 	}
 	/* (variable) ab - the compressed data bytes */
 	while (coffFiles < offset) {
 		size_t want = offset - coffFiles;
 		if (want > sizeof(bfb))
 			want = sizeof(bfb);
 		int l = BIO_read(bio, bfb, want);
 		if (l <= 0)
 			break;
 		EVP_DigestUpdate(mdctx, bfb, l);
 		coffFiles += l;
 	}
 	EVP_DigestFinal(mdctx, mdbuf, NULL);
 	EVP_MD_CTX_free(mdctx);
 	return 0; /* OK */
 }
 static int verify_cab_pkcs7(PKCS7 *p7, char *indata, size_t sigpos, char *leafhash,
 		int allownest, char *cafile, char *crlfile, char *untrusted)
 {
 	int ret = 0;
 	int mdtype = -1, phtype = -1;
 	unsigned char mdbuf[EVP_MAX_MD_SIZE];
 	unsigned char cmdbuf[EVP_MAX_MD_SIZE];
 	char hexbuf[EVP_MAX_MD_SIZE*2+1];
 	unsigned char *ph = NULL;
 	size_t phlen = 0;
 	BIO *bio = NULL;
 	ASN1_OBJECT *indir_objid = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1);
 	if (PKCS7_type_is_signed(p7) &&
 		!OBJ_cmp(p7->d.sign->contents->type, indir_objid) &&
 		p7->d.sign->contents->d.other->type == V_ASN1_SEQUENCE) {
 		ASN1_STRING *astr = p7->d.sign->contents->d.other->value.sequence;
 		const unsigned char *p = astr->data;
 		SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, astr->length);
 		if (idc) {
 			extract_page_hash(idc->data, &ph, &phlen, &phtype);
 			if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
 				mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
 				memcpy(mdbuf, idc->messageDigest->digest->data, idc->messageDigest->digest->length);
 			}
 			SpcIndirectDataContent_free(idc);
 		}
 	}
 	ASN1_OBJECT_free(indir_objid);
 	if (mdtype == -1) {
 		printf("Failed to extract current message digest\n\n");
 		return -1; /* FAILED */
 	}
 	printf("Message digest algorithm  : %s\n", OBJ_nid2sn(mdtype));
 	const EVP_MD *md = EVP_get_digestbynid(mdtype);
 	tohex(mdbuf, hexbuf, EVP_MD_size(md));
 	printf("Current message digest    : %s\n", hexbuf);
 	bio = BIO_new_mem_buf(indata, sigpos);
 	ret |= calc_cab_digest(bio, md, cmdbuf, sigpos);
 	BIO_free(bio);
 	tohex(cmdbuf, hexbuf, EVP_MD_size(md));
 	int mdok = !memcmp(mdbuf, cmdbuf, EVP_MD_size(md));
 	if (!mdok)
 		ret = 1; /* FAILED */
 	printf("Calculated message digest : %s%s\n\n", hexbuf, mdok?"":"    MISMATCH!!!");
 	ret |= verify_pkcs7(p7, leafhash, cafile, crlfile, untrusted);
 	printf("\n");
 	if (allownest) {
 		int has_sig = 0;
 		PKCS7 *p7nest = pkcs7_get_nested_signature(p7, &has_sig);
 		if (p7nest) {
 			int nest_ret = verify_cab_pkcs7(p7nest, indata, sigpos, leafhash, 0, cafile, crlfile, untrusted);
 			if (ret == 0)
 				ret = nest_ret;
 			PKCS7_free(p7nest);
 		} else if (!p7nest && has_sig) {
 			printf("Failed to decode nested signature!\n");
 			ret = 1;
 		}
 	}
 	return ret;
 }
 static PKCS7 *extract_existing_cab_pkcs7(char *indata, size_t sigpos, size_t siglen)
 {
 	PKCS7 *p7 = NULL;
 	const unsigned char *blob;
 	blob = (unsigned char*)indata + sigpos;
 	p7 = d2i_PKCS7(NULL, &blob, siglen);
 	return p7;
 }
 static int verify_cab_file(char *indata, size_t header_size, size_t sigpos, size_t siglen,
 			char *leafhash, char *cafile, char *crlfile, char *untrusted)
 {
 	PKCS7 *p7;
 	int ret = 0;
 	if (header_size != 20) {
 		printf("No signature found\n\n");
 		return 1; /* FAILED */
 	}
 	p7 = extract_existing_cab_pkcs7(indata, sigpos, siglen);
 	if (p7 == NULL) {
 		printf("Failed to extract PKCS7 data\n\n");
 		return -1; /* FAILED */
 	}
 	ret |= verify_cab_pkcs7(p7, indata, sigpos, leafhash, 1, cafile, crlfile, untrusted);
 	PKCS7_free(p7);
 	return ret;
 }
 static int extract_cab_file(char *indata, size_t sigpos, size_t siglen, BIO *outdata, int output_pkcs7)
 {
 	int ret = 0;
 	PKCS7 *sig;
 	(void)BIO_reset(outdata);
 	if (output_pkcs7) {
 		sig = extract_existing_cab_pkcs7(indata, sigpos, siglen);
 		if (!sig) {
 			fprintf(stderr, "Unable to extract existing signature\n");
 			return 1; /* FAILED */
 		}
 		ret = !PEM_write_bio_PKCS7(outdata, sig);
 	} else {
 		ret = !BIO_write(outdata, indata + sigpos, siglen);
 	}
 	return ret;
 }
 static void write_optional_names(size_t flags, char *indata, BIO *outdata, int *len)
 {
 	int i;
 	i = *len;
 	/* TODO */
 	if (flags & FLAG_PREV_CABINET) {
 		/* szCabinetPrev */
 		while (GET_UINT8_LE(indata+i)) {
 			BIO_write(outdata, indata+i, 1);
 			i++;
 		}
 		BIO_write(outdata, indata+i, 1);
 		i++;
 		/* szDiskPrev */
 		while (GET_UINT8_LE(indata+i)) {
 			BIO_write(outdata, indata+i, 1);
 			i++;
 		}
 		BIO_write(outdata, indata+i, 1);
 		i++;
 	}
 	if (flags & FLAG_NEXT_CABINET) {
 		/* szCabinetNext */
 		while (GET_UINT8_LE(indata+i)) {
 			BIO_write(outdata, indata+i, 1);
 			i++;
 		}
 		BIO_write(outdata, indata+i, 1);
 		i++;
 		/* szDiskNext */
 		while (GET_UINT8_LE(indata+i)) {
 			BIO_write(outdata, indata+i, 1);
 			i++;
 		}
 		BIO_write(outdata, indata+i, 1);
 		i++;
 	}
 	*len = i;
 }
 static void remove_cab_file(char *indata, size_t siglen, size_t filesize, BIO *outdata)
 {
 	int i;
 	unsigned short nfolders;
 	size_t tmp, flags;
 	static char buf[64*1024];
 	/*
 	 * u1 signature[4] 4643534D MSCF: 0-3
 	 * u4 reserved1 00000000: 4-7
 	 */
 	BIO_write(outdata, indata, 8);
 	/* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */
 	tmp = GET_UINT32_LE(indata+8) - 24;
 	PUT_UINT32_LE(tmp, buf);
 	BIO_write(outdata, buf, 4);
 	/* u4 reserved2 00000000: 12-15 */
 	BIO_write(outdata, indata+12, 4);
 	/* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
 	tmp = GET_UINT32_LE(indata+16) - 24;
 	PUT_UINT32_LE(tmp, buf);
 	BIO_write(outdata, buf, 4);
 	/*
 	 * u4 reserved3 00000000: 20-23
 	 * u1 versionMinor 03: 24
 	 * u1 versionMajor 01: 25
 	 * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
 	 * u2 cFiles - number of CFFILE entries in this cabinet: 28-29
 	 */
 	BIO_write(outdata, indata+20, 10);
 	/* u2 flags: 30-31 */
 	flags = GET_UINT16_LE(indata+30);
 	PUT_UINT32_LE(flags & (FLAG_PREV_CABINET | FLAG_NEXT_CABINET), buf);
 	BIO_write(outdata, buf, 2);
 	/*
 	 * u2 setID must be the same for all cabinets in a set: 32-33
 	 * u2 iCabinet - number of this cabinet file in a set: 34-35
 	 */
 	BIO_write(outdata, indata+32, 4);
 	i = 60;
 	write_optional_names(flags, indata, outdata, &i);
 	/*
 	 * (u8 * cFolders) CFFOLDER - structure contains information about
 	 * one of the folders or partial folders stored in this cabinet file
 	 */
 	nfolders = GET_UINT16_LE(indata + 26);
 	while (nfolders) {
 		tmp = GET_UINT32_LE(indata+i);
 		tmp -= 24;
 		PUT_UINT32_LE(tmp, buf);
 		BIO_write(outdata, buf, 4);
 		BIO_write(outdata, indata+i+4, 4);
 		i+=8;
 		nfolders--;
 	}
 	/* Write what's left - the compressed data bytes */
 	BIO_write(outdata, indata+i, filesize-siglen-i);
 }
 static void modify_cab_header(char *indata, size_t fileend, BIO *hash, BIO *outdata)
 {
 	int i;
 	unsigned short nfolders;
 	size_t flags;
 	static char buf[64*1024];
 	/* u1 signature[4] 4643534D MSCF: 0-3 */
 	BIO_write(hash, indata, 4);
 	/* u4 reserved1 00000000: 4-7 */
 	BIO_write(outdata, indata+4, 4);
 	/*
 	 * u4 cbCabinet - size of this cabinet file in bytes: 8-11
 	 * u4 reserved2 00000000: 12-15
 	 * u4 coffFiles - offset of the first CFFILE entry: 16-19
 	 * u4 reserved3 00000000: 20-23
 	 * u1 versionMinor 03: 24
 	 * u1 versionMajor 01: 25
 	 * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
 	 * u2 cFiles - number of CFFILE entries in this cabinet: 28-29
 	 */
 	BIO_write(hash, indata+8, 22);
 	/* u2 flags: 30-31 */
 	flags = GET_UINT16_LE(indata+30);
 	PUT_UINT32_LE(flags, buf);
 	BIO_write(hash, buf, 2);
 	/* u2 setID must be the same for all cabinets in a set: 32-33 */
 	BIO_write(hash, indata+32, 2);
 	/*
 	 * u2 iCabinet - number of this cabinet file in a set: 34-35
 	 * u2 cbCFHeader: 36-37
 	 * u1 cbCFFolder: 38
 	 * u1 cbCFData: 39
 	 * u22 abReserve: 40-43
 	 * - Additional data offset: 44-47
 	 * - Additional data size: 48-51
 	 */
 	BIO_write(outdata, indata+34, 22);
 	/* u24 abReserve: 52-59 */
 	BIO_write(hash, indata+56, 4);
 	i = 60;
 	write_optional_names(flags, indata, hash, &i);
 	/*
 	 * (u8 * cFolders) CFFOLDER - structure contains information about
 	 * one of the folders or partial folders stored in this cabinet file
 	 */
 	nfolders = GET_UINT16_LE(indata + 26);
 	while (nfolders) {
 		BIO_write(hash, indata+i, 8);
 		i+=8;
 		nfolders--;
 	}
 	/* Write what's left - the compressed data bytes */
 	BIO_write(hash, indata+i, fileend-i);
 }
 static void add_cab_header(char *indata, size_t fileend, BIO *hash, BIO *outdata)
 {
 	int i;
 	unsigned short nfolders;
 	size_t tmp, flags;
 	static char buf[64*1024];
 	u_char cabsigned[] = {
 		0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
 		0xde, 0xad, 0xbe, 0xef, /* size of cab file */
 		0xde, 0xad, 0xbe, 0xef, /* size of asn1 blob */
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 	};
 	/* u1 signature[4] 4643534D MSCF: 0-3 */
 	BIO_write(hash, indata, 4);
 	/* u4 reserved1 00000000: 4-7 */
 	BIO_write(outdata, indata+4, 4);
 	/* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */
 	tmp = GET_UINT32_LE(indata+8) + 24;
 	PUT_UINT32_LE(tmp, buf);
 	BIO_write(hash, buf, 4);
 	/* u4 reserved2 00000000: 12-15 */
 	BIO_write(hash, indata+12, 4);
 	/* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
 	tmp = GET_UINT32_LE(indata+16) + 24;
 	PUT_UINT32_LE(tmp, buf+4);
 	BIO_write(hash, buf+4, 4);
 	/*
 	 * u4 reserved3 00000000: 20-23
 	 * u1 versionMinor 03: 24
 	 * u1 versionMajor 01: 25
 	 * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
 	 * u2 cFiles - number of CFFILE entries in this cabinet: 28-29
 	 */
 	memcpy(buf+4, indata+20, 10);
 	flags = GET_UINT16_LE(indata+30);
 	buf[4+10] = flags | FLAG_RESERVE_PRESENT;
 	/* u2 setID must be the same for all cabinets in a set: 32-33 */
 	memcpy(buf+16, indata+32, 2);
 	BIO_write(hash, buf+4, 14);
 	/* u2 iCabinet - number of this cabinet file in a set: 34-35 */
 	BIO_write(outdata, indata+34, 2);
 	memcpy(cabsigned+8, buf, 4);
 	BIO_write(outdata, cabsigned, 20);
 	BIO_write(hash, cabsigned+20, 4);
 	i = 36;
 	write_optional_names(flags, indata, hash, &i);
 	/*
 	 * (u8 * cFolders) CFFOLDER - structure contains information about
 	 * one of the folders or partial folders stored in this cabinet file
 	 */
 	nfolders = GET_UINT16_LE(indata + 26);
 	while (nfolders) {
 		tmp = GET_UINT32_LE(indata+i);
 		tmp += 24;
 		PUT_UINT32_LE(tmp, buf);
 		BIO_write(hash, buf, 4);
 		BIO_write(hash, indata+i+4, 4);
 		i+=8;
 		nfolders--;
 	}
 	/* Write what's left - the compressed data bytes */
 	BIO_write(hash, indata+i, fileend-i);
 }
 static STACK_OF(X509) *PEM_read_certs_with_pass(BIO *bin, char *certpass)
 {
 	STACK_OF(X509) *certs = sk_X509_new_null();
@ -3073,6 +3667,7 @@ int main(int argc, char **argv) {
 	file_type_t type;
 	cmd_type_t cmd = CMD_SIGN;
 	char *failarg = NULL;
 	size_t header_size = 0, sigpos = 0, siglen = 0;
 	static u_char purpose_ind[] = {
 		0x30, 0x0c,
@ -3495,9 +4090,6 @@ int main(int argc, char **argv) {
 		DO_EXIT_1("Unrecognized file type: %s\n", infile);
 	}
 	if (cmd != CMD_SIGN && !(type == FILE_TYPE_PE || type == FILE_TYPE_MSI))
 		DO_EXIT_1("Command is not supported for non-PE/non-MSI files: %s\n", infile);
 	hash = BIO_new(BIO_f_md());
 	BIO_set_md(hash, md);
@ -3508,12 +4100,9 @@ int main(int argc, char **argv) {
 		if (add_msi_dse == 1)
 			fprintf(stderr, "Warning: -add-msi-dse option is only valid for MSI files\n");
 #endif
-		if (nest == 1)
+		if (!verify_cab_header(indata, infile, cmd, filesize, &header_size, &sigpos, &siglen))
-			fprintf(stderr, "Error: -nest option is only valid for PE/MSI files\n");
+			goto err_cleanup;
-		if (filesize < 44)
+
 			DO_EXIT_1("Corrupt cab file - too short: %s\n", infile);
 		if (indata[0x1e] != 0x00 || indata[0x1f] != 0x00)
 			DO_EXIT_0("Cannot sign CAB files with flag bits set!\n"); /* FLAG_RESERVE_PRESENT */
 	} else if (type == FILE_TYPE_PE) {
 		if (filesize < 64)
 			DO_EXIT_1("Corrupt DOS file - too short: %s\n", infile);
@ -3673,55 +4262,31 @@ int main(int argc, char **argv) {
 	}
 	if (type == FILE_TYPE_CAB) {
-		unsigned short nfolders;
+		if (cmd == CMD_EXTRACT) {
-		size_t tmp;
+			ret = extract_cab_file(indata, sigpos, siglen, outdata, output_pkcs7);
-
+			goto skip_signing;
 		u_char cabsigned[] = {
 			0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
 			0xde, 0xad, 0xbe, 0xef, /* size of cab file */
 			0xde, 0xad, 0xbe, 0xef, /* size of asn1 blob */
 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 		};
 		BIO_write(hash, indata, 4);
 		BIO_write(outdata, indata+4, 4);
 		tmp = GET_UINT32_LE(indata+8) + 24;
 		PUT_UINT32_LE(tmp, buf);
 		BIO_write(hash, buf, 4);
 		BIO_write(hash, indata+12, 4);
 		tmp = GET_UINT32_LE(indata+16) + 24;
 		PUT_UINT32_LE(tmp, buf+4);
 		BIO_write(hash, buf+4, 4);
        /*
         * FLAG_RESERVE_PRESENT is set if this cabinet file contains any reserved fields.
         * When this bit is set, the cbCFHeader, cbCFFolder, and cbCFData fields are present in the CFHEADER.
         * https://www.file-recovery.com/cab-signature-format.htm
         */
 		memcpy(buf+4, indata+20, 14);
 		buf[4+10] = 0x04; /* FLAG_RESERVE_PRESENT */
 		BIO_write(hash, buf+4, 14);
 		BIO_write(outdata, indata+34, 2);
 		memcpy(cabsigned+8, buf, 4);
 		BIO_write(outdata, cabsigned, 20);
 		BIO_write(hash, cabsigned+20, 4); /* ??? or possibly the previous 4 bytes instead? */
 		nfolders = indata[26] | (indata[27] << 8);
 		for (i = 36; nfolders; nfolders--, i+=8) {
 			tmp = GET_UINT32_LE(indata+i);
 			tmp += 24;
 			PUT_UINT32_LE(tmp, buf);
 			BIO_write(hash, buf, 4);
 			BIO_write(hash, indata+i+4, 4);
 		}
 		if (cmd == CMD_REMOVE) {
 			remove_cab_file(indata, siglen, filesize, outdata);
 			goto skip_signing;
 		}
 		if (cmd == CMD_VERIFY) {
 			ret = verify_cab_file(indata, header_size, sigpos, siglen, leafhash, cafile, crlfile, untrusted);
 			goto skip_signing;
 		}
 		if ((cmd == CMD_SIGN && nest) || (cmd == CMD_ATTACH && nest) || cmd == CMD_ADD) {
 			cursig = extract_existing_cab_pkcs7(indata, sigpos, siglen);
 			if (!cursig)
 				DO_EXIT_0("Unable to extract existing signature\n");
 			if (cmd == CMD_ADD)
 				sig = cursig;
 		}
 		if (header_size == 20)
 			/* Strip current signature and modify header */
 			modify_cab_header(indata, sigpos, hash, outdata);
 		else
 			add_cab_header(indata, fileend, hash, outdata);
 		/* Write what's left */
 		BIO_write(hash, indata+i, filesize-i);
 	} else if (type == FILE_TYPE_PE) {
 		size_t sigpos, siglen;
 		unsigned int nrvas;
@ -3751,30 +4316,21 @@ int main(int argc, char **argv) {
 		/* Since fix for MS Bulletin MS12-024 we can really assume
 		   that signature should be last part of file */
-		if (sigpos > 0 && sigpos + siglen != filesize)
+		if (sigpos > 0 && sigpos < filesize && sigpos + siglen != filesize)
 			DO_EXIT_1("Corrupt PE file - current signature not at end of file: %s\n", infile);
 		if ((cmd == CMD_REMOVE || cmd == CMD_EXTRACT) && sigpos == 0)
 			DO_EXIT_1("PE file does not have any signature: %s\n", infile);
 		if (cmd == CMD_EXTRACT) {
-			/* A lil' bit of ugliness. Reset stream, write signature and skip forward */
+			ret = extract_pe_file(indata, sigpos ? sigpos : fileend, siglen, outdata, output_pkcs7);
 			(void)BIO_reset(outdata);
 			if (output_pkcs7) {
 				sig = extract_existing_pe_pkcs7(indata, sigpos ? sigpos : fileend, siglen);
 				if (!sig)
 					DO_EXIT_0("Unable to extract existing signature\n");
 				PEM_write_bio_PKCS7(outdata, sig);
 			} else {
 				BIO_write(outdata, indata + sigpos, siglen);
 			}
 			goto skip_signing;
 		}
 		if ((cmd == CMD_SIGN && nest) || (cmd == CMD_ATTACH && nest) || cmd == CMD_ADD) {
 			cursig = extract_existing_pe_pkcs7(indata, sigpos ? sigpos : fileend, siglen);
 			if (cursig == NULL) {
-				DO_EXIT_0("Unable to extract existing signature in -nest mode\n");
+				DO_EXIT_0("Unable to extract existing signature\n");
 			}
 			if (cmd == CMD_ADD) {
 				sig = cursig;
@ -3790,26 +4346,7 @@ int main(int argc, char **argv) {
 			fileend = sigpos;
 		}
-		BIO_write(hash, indata, peheader + 88);
+		sign_pe_file(indata, peheader + 88, pe32plus, &fileend, hash, outdata);
 		i = peheader + 88;
 		memset(buf, 0, 4);
 		BIO_write(outdata, buf, 4); /* zero out checksum */
 		i += 4;
 		BIO_write(hash, indata + i, 60+pe32plus*16);
 		i += 60+pe32plus*16;
 		memset(buf, 0, 8);
 		BIO_write(outdata, buf, 8); /* zero out sigtable offset + pos */
 		i += 8;
 		BIO_write(hash, indata + i, fileend - i);
 		/* pad (with 0's) pe file to 8 byte boundary */
 		len = 8 - fileend % 8;
 		if (len > 0 && len != 8) {
 			memset(buf, 0, len);
 			BIO_write(hash, buf, len);
 			fileend += len;
 		}
 	}
 	if (cmd == CMD_ADD)
@ -3831,6 +4368,8 @@ int main(int argc, char **argv) {
 		} else {
 			if (type == FILE_TYPE_PE) {
 				sig = extract_existing_pe_pkcs7(insigdata, 0, sigfilesize);
 			} else if (type == FILE_TYPE_CAB) {
 				sig = extract_existing_cab_pkcs7(insigdata, 0, sigfilesize);
 			} else if (type == FILE_TYPE_MSI) {
 #ifdef WITH_GSF
 				const unsigned char *p = (unsigned char*)insigdata;
@ -3994,7 +4533,6 @@ add_only:
 	if (addBlob && add_unauthenticated_blob(sig))
 		DO_EXIT_0("Adding unauthenticated blob failed\n");
 #if 0
 	if (!PEM_write_PKCS7(stdout, sig))
 		DO_EXIT_0("PKCS7 output failed\n");
@ -4072,7 +4610,12 @@ skip_signing:
 		}
 		if (cmd == CMD_SIGN || cmd == CMD_REMOVE || cmd == CMD_ADD || cmd == CMD_ATTACH)
 			recalc_pe_checksum(outdata, peheader);
-	} else if (type == FILE_TYPE_CAB) {
+	} else if (type == FILE_TYPE_CAB && (cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_ATTACH)) {
 		/*
 		 * Update additional data size.
 		 * Additional data size is located at offset 0x30 (from file beginning)
 		 * and consist of 4 bytes (little-endian order).
 		 */
 		(void)BIO_seek(outdata, 0x30);
 		PUT_UINT32_LE(len+padlen, buf);
 		BIO_write(outdata, buf, 4);
@ -4095,6 +4638,19 @@ skip_signing:
 			if (ret) {
 				DO_EXIT_0("Signature mismatch\n");
 			}
 		} else if (type == FILE_TYPE_CAB) {
 			outdatasize = get_file_size(outfile);
 			if (!outdatasize)
 				DO_EXIT_0("Error verifying result\n");
 			outdataverify = map_file(outfile, outdatasize);
 			if (!outdataverify)
 				DO_EXIT_0("Error verifying result\n");
 			if (!verify_cab_header(outdataverify, outfile, cmd, outdatasize, &header_size, &sigpos, &siglen))
 				goto err_cleanup;
 			ret = verify_cab_file(outdataverify, header_size, sigpos, siglen, leafhash, cafile, crlfile, untrusted);
 			if (ret) {
 				DO_EXIT_0("Signature mismatch\n");
 			}
 		} else if (type == FILE_TYPE_MSI) {
 #ifdef WITH_GSF
 			GsfInput *src;
--- a/tests/recipes/11_sign_nest
+++ b/tests/recipes/11_sign_nest
@ -27,7 +27,25 @@ if test -s "test.exe"
  fi
 # CAB file
-# Error: -nest option is only valid for PE/MSI files
+test_name="112. Sign a CAB file with the nest flag"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
        -in "test.ex_" -out "test_112_signed.ex_"
    ../../osslsigncode sign -h sha512 \
        -nest \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
        -in "test_112_signed.ex_" -out "test_112.ex_"
    verify_signature "$?" "112" "ex_" "success" "@2019-09-01 12:00:00" \
 	"UNUSED_PATTERN" "ASCII" "SHA512" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
 test_name="113. Sign a MSI file with the nest flag"
--- a/tests/recipes/31_extract_signature
+++ b/tests/recipes/31_extract_signature
@ -1,5 +1,5 @@
 #!/bin/sh
-# Extract the signature from the PE/MSI file.
+# Extract the signature from the PE/CAB/MSI file.
 . $(dirname $0)/../test_library
 script_path=$(pwd)
@ -23,20 +23,35 @@ if test -s "test.exe"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="312. Extract the signature from the CAB file"
 printf "\n%s\n" "$test_name"
 if [ -s "test.ex_" ]
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
        -in "test.ex_" -out "test_312.ex_" && \
    ../../osslsigncode extract-signature -pem \
        -in "test_312.ex_" -out "sign_cab.pem"
    verify_signature "$?" "312" "ex_" "success" "@2019-09-01 12:00:00" \
 	"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
-test_name="312. Extract the signature from the MSI file"
+test_name="313. Extract the signature from the MSI file"
 printf "\n%s\n" "$test_name"
 if test -s "sample.msi"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-        -in "sample.msi" -out "test_312.msi" && \
+        -in "sample.msi" -out "test_313.msi" && \
    ../../osslsigncode extract-signature -pem \
-        -in "test_312.msi" -out "sign_msi.pem"
+        -in "test_313.msi" -out "sign_msi.pem"
-    verify_signature "$?" "312" "msi" "success" "@2019-09-01 12:00:00" \
+    verify_signature "$?" "313" "msi" "success" "@2019-09-01 12:00:00" \
 	"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
--- a/tests/recipes/32_attach_signature
+++ b/tests/recipes/32_attach_signature
@ -1,5 +1,5 @@
 #!/bin/sh
-# Attach the signature to the PE/MSI file.
+# Attach the signature to the PE/CAB/MSI file.
 . $(dirname $0)/../test_library
 script_path=$(pwd)
@ -21,18 +21,31 @@ if test -s "test.exe"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="322. Attach the signature to the CAB file"
 printf "\n%s\n" "$test_name"
 if [ -s "test.ex_" ]
  then
    ../../osslsigncode attach-signature -sigin "sign_cab.pem" \
        -CAfile "${script_path}/../certs/CACert.pem" \
        -CRLfile "${script_path}/../certs/CACertCRL.pem" \
        -in "test.ex_" -out "test_322.ex_"
    verify_signature "$?" "322" "ex_" "success" "@2019-09-01 12:00:00" \
 	"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
-test_name="322. Attach the signature to the MSI file"
+test_name="323. Attach the signature to the MSI file"
 printf "\n%s\n" "$test_name"
 if test -s "sample.msi"
  then
    ../../osslsigncode attach-signature -sigin "sign_msi.pem" \
        -CAfile "${script_path}/../certs/CACert.pem" \
        -CRLfile "${script_path}/../certs/CACertCRL.pem" \
-        -in "sample.msi" -out "test_322.msi"
+        -in "sample.msi" -out "test_323.msi"
-    verify_signature "$?" "322" "msi" "success" "@2019-09-01 12:00:00" \
+    verify_signature "$?" "323" "msi" "success" "@2019-09-01 12:00:00" \
 	"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
--- a/tests/recipes/33_remove_signature
+++ b/tests/recipes/33_remove_signature
@ -1,5 +1,5 @@
 #!/bin/sh
-# Remove the signature from the PE/MSI file.
+# Remove the signature from the PE/CAB/MSI file.
 . $(dirname $0)/../test_library
 script_path=$(pwd)
@ -23,20 +23,35 @@ if test -s "test.exe"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="332. Remove the signature from the CAB file"
 printf "\n%s\n" "$test_name"
 if [ -s "test.ex_" ]
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
        -in "test.ex_" -out "test_332_signed.ex_" && \
    ../../osslsigncode remove-signature \
        -in "test_332_signed.ex_" -out "test_332.ex_"
    verify_signature "$?" "332" "ex_" "fail" "@2019-09-01 12:00:00" \
 	"sha256sum" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
-test_name="332. Remove the signature from the MSI file"
+test_name="333. Remove the signature from the MSI file"
 printf "\n%s\n" "$test_name"
 if test -s "sample.msi"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-        -in "sample.msi" -out "test_332_signed.msi" && \
+        -in "sample.msi" -out "test_333_signed.msi" && \
    ../../osslsigncode remove-signature \
-        -in "test_332_signed.msi" -out "test_332.msi"
+        -in "test_333_signed.msi" -out "test_333.msi"
-    verify_signature "$?" "332" "msi" "fail" "@2019-09-01 12:00:00" \
+    verify_signature "$?" "333" "msi" "fail" "@2019-09-01 12:00:00" \
 	"sha256sum" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
--- a/tests/recipes/35_varia_sha256sum
+++ b/tests/recipes/35_varia_sha256sum
@ -22,6 +22,21 @@ if test -s "test.exe"
    skip=$(($skip+1))
  fi
 if test -s "test.ex_"
  then
    if test $(cat "sha256sum_ex_.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1
      then
        res=1
        cat "sha256sum_ex_.log" >> "results.log"
        printf "Non-unique SHA256 message digests found\n" >> "results.log"
      else
        rm -f test_3[1-4]*[1-2]*.ex_
      fi
    rm -f "sha256sum_ex_.log"
  else
    skip=$(($skip+1))
  fi
 if test -s "sample.msi"
  then
    if test $(cat "sha256sum_msi.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1
--- a/tests/recipes/36_add_signature_blob
+++ b/tests/recipes/36_add_signature_blob
@ -1,5 +1,5 @@
 #!/bin/sh
-# Add an unauthenticated blob to the PE/MSI file.
+# Add an unauthenticated blob to the PE/CAB/MSI file.
 . $(dirname $0)/../test_library
 script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="362. Add an unauthenticated blob to the CAB file"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
        -in "test.ex_" -out "test_362_signed.ex_"
    ../../osslsigncode add \
        -addUnauthenticatedBlob \
        -in "test_362_signed.ex_" -out "test_362.ex_"
    verify_signature "$?" "362" "ex_" "success" "@2019-09-01 12:00:00" \
 	"UNUSED_PATTERN" "ASCII" "BEGIN_BLOB" "MODIFY"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
-test_name="362. Add an unauthenticated blob to the MSI file"
+test_name="363. Add an unauthenticated blob to the MSI file"
 printf "\n%s\n" "$test_name"
 if test -s "sample.msi"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-        -in "sample.msi" -out "test_362_signed.msi"
+        -in "sample.msi" -out "test_363_signed.msi"
    ../../osslsigncode add \
        -addUnauthenticatedBlob \
-        -in "test_362_signed.msi" -out "test_362.msi"
+        -in "test_363_signed.msi" -out "test_363.msi"
-    verify_signature "$?" "362" "msi" "success" "@2019-09-01 12:00:00" \
+    verify_signature "$?" "363" "msi" "success" "@2019-09-01 12:00:00" \
 	"UNUSED_PATTERN" "ASCII" "BEGIN_BLOB" "MODIFY"
    test_result "$?" "$test_name"
  else
--- a/tests/recipes/37_add_signature_timestamp
+++ b/tests/recipes/37_add_signature_timestamp
@ -1,5 +1,5 @@
 #!/bin/sh
-# Add an authenticode timestamp to the PE/MSI file.
+# Add an authenticode timestamp to the PE/CAB/MSI file.
 . $(dirname $0)/../test_library
 script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="372. Add an authenticode timestamp to the CAB file"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
        -in "test.ex_" -out "test_372_signed.ex_" && \
    ../../osslsigncode add \
        -t http://time.certum.pl/ \
        -in "test_372_signed.ex_" -out "test_372.ex_"
    verify_signature "$?" "372" "ex_" "success" "@2019-09-01 12:00:00" \
 	"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
-test_name="372. Add an authenticode timestamp to the MSI file"
+test_name="373. Add an authenticode timestamp to the MSI file"
 printf "\n%s\n" "$test_name"
 if test -s "sample.msi" && ! grep -q "no libcurl available" "results.log"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-        -in "sample.msi" -out "test_372_signed.msi" && \
+        -in "sample.msi" -out "test_373_signed.msi" && \
    ../../osslsigncode add \
        -t http://time.certum.pl/ \
-        -in "test_372_signed.msi" -out "test_372.msi"
+        -in "test_373_signed.msi" -out "test_373.msi"
-    verify_signature "$?" "372" "msi" "success" "@2019-09-01 12:00:00" \
+    verify_signature "$?" "373" "msi" "success" "@2019-09-01 12:00:00" \
 	"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
--- a/tests/recipes/38_add_signature_rfc3161
+++ b/tests/recipes/38_add_signature_rfc3161
@ -1,5 +1,5 @@
 #!/bin/sh
-# Add an RFC 3161 timestamp to signed PE/MSI file.
+# Add an RFC 3161 timestamp to signed PE/CAB/MSI file.
 . $(dirname $0)/../test_library
 script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="382. Add RFC 3161 timestamp to signed CAB file"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
        -in "test.ex_" -out "test_382_signed.ex_"
    ../../osslsigncode add \
        -ts http://time.certum.pl/ \
        -in "test_382_signed.ex_" -out "test_382.ex_"
    verify_signature "$?" "382" "ex_" "success" "@2019-09-01 12:00:00" \
 	"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
-test_name="382. Add RFC 3161 timestamp to signed MSI file"
+test_name="383. Add RFC 3161 timestamp to signed MSI file"
 printf "\n%s\n" "$test_name"
 if test -s "sample.msi" && ! grep -q "no libcurl available" "results.log"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-        -in "sample.msi" -out "test_382_signed.msi"
+        -in "sample.msi" -out "test_383_signed.msi"
    ../../osslsigncode add \
        -ts http://time.certum.pl/ \
-        -in "test_382_signed.msi" -out "test_382.msi"
+        -in "test_383_signed.msi" -out "test_383.msi"
-    verify_signature "$?" "382" "msi" "success" "@2019-09-01 12:00:00" \
+    verify_signature "$?" "383" "msi" "success" "@2019-09-01 12:00:00" \
 	"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
--- a/tests/recipes/40_verify_leaf_hash
+++ b/tests/recipes/40_verify_leaf_hash
@ -1,5 +1,5 @@
 #!/bin/sh
-# Compare the leaf certificate hash against specified SHA256 message digest for the PE/MSI file
+# Compare the leaf certificate hash against specified SHA256 message digest for the PE/CAB/MSI file
 . $(dirname $0)/../test_library
 script_path=$(pwd)
@ -20,7 +20,19 @@ if test -s "test.exe"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="402. Compare the leaf certificate hash against specified SHA256 message digest for the CAB file"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_"
  then
    ../../osslsigncode sign -h sha256 \
        -st "1556668800" \
        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
        -in "test.ex_" -out "test_402.ex_"
    verify_leaf_hash "$?" "402" "ex_" "@2019-05-01 00:00:00"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
 test_name="403. Compare the leaf certificate hash against specified SHA256 message digest for the MSI file"
--- a/tests/recipes/51_verify_time
+++ b/tests/recipes/51_verify_time
@ -1,5 +1,5 @@
 #!/bin/sh
-# Verify PE/MSI file signature after the cert has been expired.
+# Verify PE/CAB/MSI file signature after the cert has been expired.
 . $(dirname $0)/../test_library
@ -21,7 +21,21 @@ if test -s "test.exe"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="512. Verify CAB file signature after the cert has been expired"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_"
  then
    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
        script_path=$(pwd)
        ../../osslsigncode sign -h sha256 \
            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
            -in "test.ex_" -out "test_512.ex_" 2>> "results.log" 1>&2'
    verify_signature "$?" "512" "ex_" "fail" "@2025-01-01 12:00:00" \
 	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
 test_name="513. Verify MSI file signature after the cert has been expired"
--- a/tests/recipes/52_verify_timestamp
+++ b/tests/recipes/52_verify_timestamp
@ -1,5 +1,5 @@
 #!/bin/sh
-# Verify PE/MSI file signature with Authenticode timestamping after the cert has been expired.
+# Verify PE/CAB/MSI file signature with Authenticode timestamping after the cert has been expired.
 . $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="522. Verify CAB file signature with timestamping after the cert has been expired"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
  then
    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
        script_path=$(pwd)
        ../../osslsigncode sign -h sha256 \
            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
            -t http://time.certum.pl/ \
            -in "test.ex_" -out "test_522.ex_" 2>> "results.log" 1>&2'
    verify_signature "$?" "522" "ex_" "success" "@2025-01-01 12:00:00" \
 	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
 test_name="523. Verify MSI file signature with timestamping after the cert has been expired"
--- a/tests/recipes/53_verify_rfc3161
+++ b/tests/recipes/53_verify_rfc3161
@ -1,5 +1,5 @@
 #!/bin/sh
-# Verify PE/MSI file signature with RFC3161 timestamping after the cert has been expired.
+# Verify PE/CAB/MSI file signature with RFC3161 timestamping after the cert has been expired.
 . $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="532. Verify CAB file signature with RFC3161 after the cert has been expired"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
  then
    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
        script_path=$(pwd)
        ../../osslsigncode sign -h sha256 \
            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
            -ts http://time.certum.pl/ \
            -in "test.ex_" -out "test_532.ex_" 2>> "results.log" 1>&2'
    verify_signature "$?" "532" "ex_" "success" "@2025-01-01 12:00:00" \
 	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
 test_name="533. Verify MSI file signature with RFC3161 after the cert has been expired"
--- a/tests/recipes/54_verify_expired
+++ b/tests/recipes/54_verify_expired
@ -1,5 +1,5 @@
 #!/bin/sh
-# Verify PE/MSI file signed with the expired cert.
+# Verify PE/CAB/MSI file signed with the expired cert.
 . $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="542. Verify CAB file signed with the expired cert"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
  then
    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
        script_path=$(pwd)
        ../../osslsigncode sign -h sha256 \
            -certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
            -t http://time.certum.pl/ \
            -in "test.ex_" -out "test_542.ex_" 2>> "results.log" 1>&2'
    verify_signature "$?" "542" "ex_" "fail" "@2025-01-01 12:00:00" \
 	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
 test_name="543. Verify MSI file signed with the expired cert"
--- a/tests/recipes/55_verify_revoked
+++ b/tests/recipes/55_verify_revoked
@ -1,5 +1,5 @@
 #!/bin/sh
-# Verify PE/MSI file signed with the revoked cert.
+# Verify PE/CAB/MSI file signed with the revoked cert.
 . $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
  fi
 # CAB file
-# Command is not supported for non-PE/non-MSI files
+test_name="552. Verify CAB file signed with the revoked cert"
 printf "\n%s\n" "$test_name"
 if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
  then
    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
        script_path=$(pwd)
        ../../osslsigncode sign -h sha256 \
            -certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
            -ts http://time.certum.pl/ \
            -in "test.ex_" -out "test_552.ex_" 2>> "results.log" 1>&2'
    verify_signature "$?" "552" "ex_" "fail" "@2019-09-01 12:00:00" \
 	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
    test_result "$?" "$test_name"
  else
    printf "Test skipped\n"
  fi
 # MSI file
 test_name="553. Verify MSI file signed with the revoked cert"
--- a/tests/sources/a
+++ b/tests/sources/a
@ -0,0 +1 @@
 aaa
--- a/tests/sources/b
+++ b/tests/sources/b
@ -0,0 +1 @@
 bbb
--- a/tests/sources/c
+++ b/tests/sources/c
@ -0,0 +1 @@
 ccc
--- a/tests/sources/myapp.c
+++ b/tests/sources/myapp.c
--- a/tests/sources/sample.wxs
+++ b/tests/sources/sample.wxs
--- a/tests/test_library
+++ b/tests/test_library
@ -73,14 +73,9 @@ search_pattern() {
      result=1
      printf "Failed: $4 not found\n"
    elif test "$5" = "MODIFY"
      then
        if test "$2" != "ex_"
      then
        modify_blob "$1" "$2" "$4"
        result=$?
         else
           printf "MODIFY is not supported for CAB files\n"
         fi
      fi
  return "$result"
@ -100,8 +95,6 @@ verify_signature() {
  local result=0
  printf "" > "verify.log"
  if test "$1" -eq 0
    then
      if test "$3" != "ex_"
    then
      cp "test_$2.$3" "test_tmp.tmp"
      TZ=GMT faketime -f "$5" /bin/bash -c '
@ -113,9 +106,6 @@ verify_signature() {
              -in "test_tmp.tmp" 2>> "verify.log" 1>&2'
      result=$?
      rm -f "test_tmp.tmp"
        else
           printf "VERIFY is not supported for CAB files\n"
        fi
      if test "$result" -eq 0 -a "$7" != "UNUSED_PATTERN" -a "$8" != "UNUSED_PATTERN"
        then
          search_pattern "$2" "$3" "$7" "$8" "$9"
@ -158,8 +148,6 @@ verify_leaf_hash() {
  local result=0
  printf "" > "verify.log"
  if test "$1" -eq 0
    then
      if test "$3" != "ex_"
    then
      cp "test_$2.$3" "test_tmp.tmp"
      TZ=GMT faketime -f "$4" /bin/bash -c '
@ -172,9 +160,6 @@ verify_leaf_hash() {
              -in "test_tmp.tmp" 2>> "verify.log" 1>&2'
      result=$?
      rm -f "test_tmp.tmp"
        else
           printf "VERIFY is not supported for CAB files\n"
        fi
      if test "$result" -eq 0
        then
          rm -f "test_$2.$3"
--- a/tests/testall.sh
+++ b/tests/testall.sh
@ -54,22 +54,24 @@ if test "$result" -ne 0
    exit $result
  fi
-# PE and CAB files support
+# PE files support
 if test -n "$(command -v x86_64-w64-mingw32-gcc)"
  then
-    x86_64-w64-mingw32-gcc "../myapp.c" -o "test.exe" 2>> "results.log" 1>&2
+    x86_64-w64-mingw32-gcc "../sources/myapp.c" -o "test.exe" 2>> "results.log" 1>&2
    if test -n "$(command -v gcab)"
      then
        gcab -c "test.ex_" "test.exe" 2>> "results.log" 1>&2
      else
        printf "%s\n" "gcab not found in \$PATH"
        printf "%s\n" "tests for CAB files skipped, please install gcab package"
      fi
  else
    printf "%s\n" "x86_64-w64-mingw32-gcc not found in \$PATH"
    printf "%s\n" "tests for PE files skipped, please install mingw64-gcc package"
  fi
 # CAB files support
 if test -n "$(command -v gcab)"
  then
    gcab -c "test.ex_" "../sources/a" "../sources/b" "../sources/c" 2>> "results.log" 1>&2
  else
    printf "%s\n" "gcab not found in \$PATH"
    printf "%s\n" "tests for CAB files skipped, please install gcab package"
  fi
 # MSI files support
 if grep -q "no libgsf available" "results.log"
  then
@ -78,7 +80,7 @@ if grep -q "no libgsf available" "results.log"
    if test -n "$(command -v wixl)"
      then
        touch FoobarAppl10.exe
-        cp "../sample.wxs" "sample.wxs" 2>> "results.log" 1>&2
+        cp "../sources/sample.wxs" "sample.wxs" 2>> "results.log" 1>&2
        wixl -v "sample.wxs" 2>> "results.log" 1>&2
      else
        printf "%s\n" "wixl not found in \$PATH"
@ -100,7 +102,7 @@ if test -n "$(command -v faketime)"
        make_tests
        result=$?
        rm -f "test.exe" "test.ex_" "sample.msi" "sample.wxs" "FoobarAppl10.exe"
-        rm -f "sign_pe.pem" "sign_msi.pem" "verify.log"
+        rm -f "sign_pe.pem" "sign_cab.pem" "sign_msi.pem" "verify.log"
      else
        printf "%s\n" "xxd not found in \$PATH"
        printf "%s\n" "tests skipped, please install vim-common package"